Hi,

this fixes initial findings of trust-after-aci-refactoring
investigation. Consider this effort still WIP (not this patch though).

https://fedorahosted.org/freeipa/ticket/4385

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

>From eb2c9460b0919ff3dbf3c3d45f19f3fc0fc5c092 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 19 Jun 2014 12:25:56 +0200
Subject: [PATCH] trusts: Allow reading ipaNTSecurityIdentifier in user and
 group objects

https://fedorahosted.org/freeipa/ticket/4385
---
 ACI.txt                 | 4 ++--
 ipalib/plugins/group.py | 1 +
 ipalib/plugins/user.py  | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index cd19fb90fdd0ac1947393aabfd667e46a6f015fc..b320f5656f734ded939fd3e4a9679870f26a2105 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -31,7 +31,7 @@ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certreco
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)
+aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
@@ -117,7 +117,7 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
 dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
+aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 581ee70b635da0f4d85633b7db367229113f9f73..58934ad07c1d20ffcab1427029e60ba896f79ed0 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -150,6 +150,7 @@ class group(LDAPObject):
                 'businesscategory', 'cn', 'description', 'gidnumber',
                 'ipaexternalmember', 'ipauniqueid', 'mepmanagedby', 'o',
                 'objectclass', 'ou', 'owner', 'seealso',
+                'ipaNTSecurityIdentifier'
             },
         },
         'System: Read Group Membership': {
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 2ffc1ef4bd873db4a3d5d3156d9a839b0b8f2881..a752d7883cfaead45030d1dc928eda9cf331b3e3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -266,7 +266,8 @@ class user(LDAPObject):
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'sn', 'description', 'title', 'uid',
                 'displayname', 'givenname', 'initials', 'manager', 'gecos',
-                'gidnumber', 'homedirectory', 'loginshell', 'uidnumber'
+                'gidnumber', 'homedirectory', 'loginshell', 'uidnumber',
+                'ipaNTSecurityIdentifier'
             },
         },
         'System: Read User Addressbook Attributes': {
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to